[c-nsp] GRE over IPSEC loss in IOS 15.x / ISR x9xx Routers

Vinny_Abello at Dell.com
Thu Oct 6 14:05:08 EDT 2011


We saw something similar with Global Crossing on and off where any IPSec tunnels we had that transited their network would have loss over the tunnel with the encrypted traffic, but no loss from peer to peer. Removing Global Crossing from the equation solved the issue. I couldn't imagine how they were accomplishing that other than perhaps QoS or rate-limiting involving ESP or UDP 4500 traffic which was very hard to prove. I don't know of an esptraceroute tool. :)

-Vinny

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dustin Schuemann
Sent: Wednesday, October 05, 2011 9:22 PM
To: Phil Mayers
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] GRE over IPSEC loss in IOS 15.x / ISR x9xx Routers

Today I also noticed that all these connections are going over Comcast
business. Anyone seen anything like this?

On Tue, Sep 27, 2011 at 5:43 PM, Dustin Schuemann <dschuemann at gmail.com> wrote:

> Do you have any other suggestions? TAC is kinda going around in circles.
> On Sep 27, 2011, at 3:43 AM, Phil Mayers wrote:
>
> > On 09/27/2011 12:38 AM, Dustin Schuemann wrote:
> >> Disabling CEF didn't correct the issue.
> >>
> >
> > I'm not surprised. I'm amazed TAC would even suggest it.
> >
> > Disabling CEF on modern IOS isn't sensible. The slower code paths don't
> > get properly tested any more, and whole (large) chunks of functionality only
> > exist as CEF code.
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>